Archive for December, 2009

A variant of the Zeus bot (Zbot) was found using Amazon’s Elastic Computer Cloud (EC2) infrastructure for Command&Control commands to infected machines.

Zbot is a password-stealing software, logs financial data and sends them to the botnet. Last year more than 100M US fraud was linked with Zeus malware variants. It was also held responsible for the “destruction” of 100.000 infected computers by deleting registry key data, making them inoperable. Zeus botnet is estimated to consist of millions of infected computers around the world.

A new effective attack against Google’s CAPTCHA mechanisms was invented by a security researcher lately. The whole attack procedure is presented in a paper that was released on Saturday. The attack is based on OCR (Optical Character Recognition) techinques that used to evade Googles’ reCAPTCHA (CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart, for more information click here). reCAPTCHA is a recent security measure that Google uses so as to stop malicious scripts of doing important tasks without has been done first a specific authentication process. This process requires the sense of sight, that a computer script can’t have, so that optical puzzles can be solved first, in order to continue with the task execution.

Last month a new search engine appeared, called Shodan. It is a Computer Search Engine, available for free in public, allowing search for routers, servers, computers or any device that opens a port. It is based on a simple idea: Port scan, grab headers and index the results. Quoting Shodan’s quick guide, “SHODAN lets you find servers/ routers/ etc. by using the simple search bar up above. Most of the data in the index covers web servers at the moment, but there is some data on FTP, Telnet and SSH services as well. Let me know which services interest you the most and I’ll prioritize them in my scanning”.

The combined efforts of anti-spam products outperform any individual products alone, according to an experiment by Virus Bulletin, the independent security certification organisation.

In a comparative test, almost 200,000 sample emails were sent to 14 different anti-spam products that were required to filter out spam messages from legitimate smails (ham). The test found that no legitimate mail was blocked by more than four products.

According to McAfee and their third annual “Mapping the Mal Web” report, more than a third of Cameroon domains (TLD of .cm) are infested with viruses or other types of malicious software (malware) and scams. Given that it’s very easy to mis-type .com as .cm, this presents as an opportunity to attackers and a headache for Internet users. Second place on the most-infested domains list goes to China (.cn), while Hong Kong (last year’s ‘winner’) is now far from the top.

The past few weeks a number Evil Maid attack instances have been launched against very popular drive encryption implementations. These attacks pose a very serious threat against protected data since, once launched, they are certain to succeed. (more…)

Attackers once again are targeting an unpatched vulnerability in Adobe Reader that allows them to take complete control of a user’s computer, the software maker warned.

Adobe said it planned to patch the critical security bug in Reader and Acrobat 9.1.3 for Windows, Mac and Unix on Tuesday, the date of the company’s previously scheduled patch release for the PDF reader. According to Security Focus, attackers can exploit the vulnerability by tricking a user into opening a booby-trapped PDF file.

“Successful exploits may allow the attacker to execute arbitrary code in the context of a user running the affected application,” the security site warned. “Failed attempts will likely result in denial-of-service conditions.”

The bug is presently being exploited in “limited targeted attacks,” Security Focus added, without elaborating. Adobe said only that the attacks target Reader and Adobe running on Windows operating systems.

Those using Windows Vista with a feature known as data execution prevention enabled are safe from the exploit. Users on other platforms can insulate themselves from the current attack by disabling javascript from running inside the application, but Adobe warned it’s possible to design an exploit that works around that measure.

Earlier this week, the Center for Disease Control (CDC) issued a new malware scam, to warn citizens about a large malware campaign exploiting the public awareness of phishing attacks and the interest in H1N1 vaccinations.

The E-mail security company AppRiver detected a large amount of fake CDC e-mails which were sent at a rate of nearly 18,000 messages per minute, reaching more than 1 million in the first hour alone, according to the company’s blog post.

The e-mails claim users to register for a new state vaccination programm by creating a personal H1N1 vaccination profile at a fraudulent web page of CDC. However, anyone who clicks on the link, his computer is infected with malware, an executable copy of ZBot trojan horse. This trojan, also known as Zeus, powers one of the most active botnets which steal data of compromised machines.

According to the security company Sunbelt Software’s report, ZBot is listed as the second most prevalent malware threat.

Malware propagation can be succesful in a situation where social engineering is dominatinated by technology due to the public awareness and fear.